Multiple Malwares- Need Help!!!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sealevel, Jan 28, 2009.

  1. sealevel

    sealevel Private E-2

    I got a hold of my daughter's neglected computer and uninstalled her outdated Norton AV and Spybot S&D. I installed Spybot 1.6, ran it and found 168 various tracking cookies and 5 forms of malware: Smitfraud-c, IRC.crt, and 3 flavors of Virtumonde (Virtumonde, Virtumonde.generic and Virtumonde.sci).
    I let SpyBot take care of everything but the registry keys and entries. My error was not looking at the big picture, trying to tackle them one at a time. I downloaded a fix for the most annoying, Smitfraud-c, from this forum, ran it in safe mode and it seemed to do the job. Here's where I think I blew it... I left this site. I was Googling for a fix for the IRC.crt and found the ComboFix on what I thought was a forum (xxx.BleepingComputer.com/forums). When I tried to run it, it disabled my wireless internet USB connection. It won't allow me to run SpyBot to see what I contracted, even in safe mode. Every time I boot up, I get a warning from SpyBot, but as soon as I move my cursor, it sticks a floating point error on top of it and after fruitless times of hitting OK, it then tells me SpyBot has created an error and must close. I've tried booting from the Windows disk, but can't. It does let me read the disk after I've reached the desktop. I'm writing this from another computer that I'm building and hope to download some cures and bring them in by USB thumb drive. I've been downloading the Windows XP Cleaning Procedure, but have been unable to have any success with Malwarebytes Anti-Malware. I've enclosed the build and camera pics (it won't let ScreenShot run when the warning's there) of the warning from SpyBot and the bogus floating point error. Is there someone who can help me clean up this mess?
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
    • If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide


    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in Safe Mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is advised that after completing the READ & RUN ME you also read this sticky:
    4. Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. sealevel

    sealevel Private E-2

    Thanks for your help, I hope this isn't considered a bump... if it is, I apologize, I'm new at this. In the past, I've solved my problems by reading other people's posts. Anyway, I've managed to establish an internet connection and downloaded everything on the Windows XP Cleaning Procedure page, including a fresh copy of SpyBot S&D v1.6.2. I tried to uninstall the version on that computer because I checked the "tea time" and it blocks me every time I try to open it or uninstall it. Can I uninstall it in safe mode? In the error message that I sent you, I changed the name of the file from frmwrk32.exe to ffrmwrk32.exe in the Windows/system32 folder. I realize now, that was a registry value, not a file. Is that screwing me up also? I have a screen shot of one of the latest error messages. One last thing... Can you please tell me how to create a Log and post it? I've never had to do it, so I never learned. Thanks again for your help....sealevel
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please read the instructions very carefully. Go back to the READ ME and read the article for the OS you have, it explains everything. Once complete, attach your logs.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This isn't a good idea because every computer is different and every thread is different. Just because two threads have the same infection doesn't mean the fixes will be the same.
     
  6. sealevel

    sealevel Private E-2

    I'm going to assume that since you responded to my last post, that this won't be considered a bump. I ran all the programs for cleaning Windows XP and I believe that has cured my problems. I'm attaching the logs as requested. It seemed like the system was cured after running Malwarebytes. The system booted up faster and responded quicker than it has in a while. Then, I ran ComboFix and the system developed some "jerky" cursor movements. I ran MGtools and after booting up and using the system a couple of times, that seems to have resolved itself. One last thing, you're probably wondering why the F: is the C:. It was my first build using a SATA drive and I think I had too much hooked up for the initial boot. (The floppy has a card reader in it and I had a zip drive on the primary IDE.) I was going to fix it, but my daughter needed something in a hurry and you know the rest. Thanks again for your help, I've learned a lot...
     


  7. sealevel

    sealevel Private E-2

    Here's the remainder of the logs and a BIG THANKS for your help...sealevel
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 3:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    NOTE: If it's "grey" then it's already at the default level.
    Step 4:
    Please download ATF-Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF-Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF-Cleaner menu to close the program.

    Step 5:
    Finally, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
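The symptom sealevel describes earlier in the thread (renaming frmwrk32.exe in system32 while a registry autostart value still pointed at it, followed by errors at every boot) is a dangling autorun entry, and that condition can be checked for directly before anything is removed. The PowerShell script below is an added example and is not part of the thread or of the MajorGeeks tools: it enumerates the standard Run and RunOnce keys under HKLM and HKCU, extracts the executable from each value's command line, and reports every entry whose target no longer exists on disk. It only reads; the assumption that bare names such as rundll32.exe should be resolved through PATH, and the choice to inspect only those four keys, are mine. Whether a flagged entry is malware residue or a legitimately uninstalled program still has to be judged from the logs, so the script does not delete anything.

```powershell
# Added example (not from the thread): list Run/RunOnce autostart entries and
# flag those whose executable is missing from disk. Read-only, nothing is removed.
# Assumption: only the four standard Run/RunOnce keys are inspected.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties that Get-ItemProperty adds itself; they are not registry values.
$psMetadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-CommandExecutable {
    param([string]$CommandLine)
    # Expand %SystemRoot% and friends, then take the quoted path if the command
    # line starts with a quote, otherwise the first whitespace-delimited token.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
        return $expanded.Trim('"')
    }
    return ($expanded -split '\s+')[0]
}

function Test-AutorunTarget {
    param([string]$Exe)
    if ([System.IO.Path]::IsPathRooted($Exe)) {
        return Test-Path -LiteralPath $Exe -PathType Leaf
    }
    # Assumption: a bare name (e.g. rundll32.exe) is meant to resolve through PATH.
    return [bool](Get-Command $Exe -ErrorAction SilentlyContinue)
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMetadata -contains $p.Name) { continue }
        $exe    = Get-CommandExecutable ([string]$p.Value)
        $exists = Test-AutorunTarget $exe
        [PSCustomObject]@{
            Key        = $key
            ValueName  = $p.Name
            Executable = $exe
            OnDisk     = $exists
            Status     = if ($exists) { 'ok' } else { 'DANGLING: target file missing, review before removing' }
        }
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable, and pipe the output through Format-Table or Export-Csv to keep a record alongside the logs requested above. An entry marked DANGLING is exactly the situation sealevel created by renaming the file: Windows still tries to start the value at logon, cannot find the target, and the error appears at every boot until the value itself is dealt with.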
     
